MITRE has released its annual list of the top 25 most dangerous software weaknesses for 2024, highlighting critical vulnerabilities that pose significant risks to software systems worldwide.
This list, developed in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), is a crucial resource for developers, security professionals, and organizations aiming to bolster their cybersecurity defenses.
The 2024 CWE Top 25 list identifies the most severe and prevalent software weaknesses linked to over 31,770 Common Vulnerabilities and Exposures (CVE) records.
Adversaries often exploit these weaknesses to compromise systems, steal sensitive data, or disrupt essential services. The list is based on an analysis of CVE records from June 2023 to June 2024, focusing on vulnerabilities included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar
Top 10 Most Dangerous Software Weaknesses
Here is a table listing the top 25 most dangerous software weaknesses of 2024 according to MITRE:
| Rank | Weakness Name | CWE ID | Score | CVEs in KEV | Change |
|---|---|---|---|---|---|
| 1 | Cross-site Scripting | CWE-79 | 56.92 | 3 | +1 |
| 2 | Out-of-bounds Write | CWE-787 | 45.20 | 18 | -1 |
| 3 | SQL Injection | CWE-89 | 35.88 | 4 | 0 |
| 4 | Cross-Site Request Forgery (CSRF) | CWE-352 | 19.57 | 0 | +5 |
| 5 | Path Traversal | CWE-22 | 12.74 | 4 | +3 |
| 6 | Out-of-bounds Read | CWE-125 | 11.42 | 3 | +1 |
| 7 | OS Command Injection | CWE-78 | 11.30 | 5 | -2 |
| 8 | Use After Free | CWE-416 | 10.19 | 5 | -4 |
| 9 | Missing Authorization | CWE-862 | 10.11 | 0 | +2 |
| 10 | Unrestricted Upload of File with Dangerous Type | CWE-434 | 10.03 | 0 | 0 |
| 11 | Code Injection | CWE-94 | 7.13 | 7 | +12 |
| 12 | Improper Input Validation | CWE-20 | 6.78 | 1 | -6 |
| 13 | Command Injection | CWE-77 | 6.74 | 4 | +3 |
| 14 | Improper Authentication | CWE-287 | 5.94 | 4 | -1 |
| 15 | Improper Privilege Management | CWE-269 | 5.22 | 0 | +7 |
| 16 | Deserialization of Untrusted Data | CWE-502 | 5.07 | 5 | -1 |
| 17 | Exposure of Sensitive Information to an Unauthorized Actor | CWE-200 | 5.07 | 0 | +13 |
| 18 | Incorrect Authorization | CWE-863 | 4.05 | 2 | +6 |
| 19 | Server-Side Request Forgery (SSRF) | CWE-918 | 4.05 | 2 | 0 |
| 20 | Improper Restriction of Operations within the Bounds of a Memory Buffer | CWE-119 | 3.69 | 2 | -3 |
| 21 | NULL Pointer Dereference | CWE-476 | 3.58 | 0 | -9 |
| 22 | Use of Hard-coded Credentials | CWE-798 | 3.46 | 2 | -4 |
| 23 | Integer Overflow or Wraparound | CWE-190 | 3.37 | 3 | -9 |
| 24 | Uncontrolled Resource Consumption | CWE-400 | 3.23 | 0 | +13 |
| 25 | Missing Authentication for Critical Function | CWE-306 | 2.73 | 5 | -5 |
This table provides a comprehensive overview of the top 25 software weaknesses, including their CWE IDs, scores, number of CVEs in the Known Exploited Vulnerabilities (KEV) catalog, and changes in ranking compared to the previous year.
The CWE Top 25 list is invaluable for guiding security investments and policies. By understanding the root causes of these vulnerabilities, organizations can implement strategies to prevent them from occurring.
This proactive approach enhances security and results in cost savings by reducing the need for post-deployment fixes.
Organizations are encouraged to integrate the CWE Top 25 into their software development lifecycle and procurement processes. By prioritizing these weaknesses, companies can mitigate risks and demonstrate a commitment to cybersecurity, enhancing customer trust.
Adopting Secure by Design practices is crucial for developers and security teams. This involves incorporating security measures at every stage of software development to prevent vulnerabilities from being introduced.
As cyber threats evolve, staying informed about the most dangerous software weaknesses is essential for maintaining robust cybersecurity defenses. The 2024 CWE Top 25 list provides a strategic framework for addressing these challenges and protecting critical systems from exploitation.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free